WordPress Single Sign On | Three29

Single Sign on WordPress

Eduard Florea

Former VP of Technology

Posted in web

What is Single Sign On?

Well, the name pretty much says it all. Single sign-on (SSO) is a property of access control across multiple related but independent software systems. With this property, a user logs in once and gains access to all systems without being prompted to log in again at each one. It’s the same as having a master key to your house: you can get into any room with just a single key.


Why do you need it?

When you have a couple of clients on WordPress, it’s easy to remember your admin account and manage their sites. However, once you have more than 30 clients, keeping track of which account allows access to which website gets really challenging. So why not have only one account and be able to log in from one WordPress site into different WordPress sites on different servers?! It makes everything more organized, so whenever a client requests a change or addition, we don’t have to go to them and ask for the password. Instead, we have a secure method of accessing their sites, allowing us to make the requested changes.




How does it work?

We built 2 plugins – the SSO server and the SSO client. We installed the SSO server plugin onto the main WordPress platform, where all the necessary information to access a client’s website is securely stored. The SSO client plugin is then installed onto any WordPress site and set up, with proper permissions of course. Every time you want to manage a WordPress site, you log in to the main platform and from there you can choose whichever WordPress site you want to access.

How secure is it?

The SSO server and the SSO client know about each other; they communicate using secure random tokens that only they know. Each token is generated to last only a matter of seconds, and the tokens are then authenticated to ensure that the proper server is connecting to the proper client. If the tokens do not properly authenticate, the connection is rejected, allowing access only to authorized users.


How did you do it?

Everything starts with a fresh cup of coffee and <?php. We began by creating the SSO server plugin, written from scratch, then set up how the plugin communicates and what actions it can perform. From there we moved on to the SSO client plugin and set it up so that only certain actions could actually be performed from the server. We used WordPress’s action hooks to manage which actions are called from the SSO server to the SSO client and vice versa. We then built a custom database table to handle the tokens and their authentication. Of course, once testing passed our QA and everything was good, we deployed it!
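
One way to implement the short-lived tokens described under "How secure is it?" together with the token table mentioned above, as an added example that is not the Three29 plugins' own code. The class and constant names, the 30-second lifetime, the single-use rule and the in-memory array standing in for the custom database table are all assumptions.

```php
<?php
// Added example with hypothetical names. An in-memory array stands in for
// the custom token table; a real plugin would persist these rows.
const TOKEN_TTL = 30; // seconds (assumed; the post only says "a matter of seconds")

final class SsoTokenStore
{
    /** @var array<string, array{site: string, user: string, expires: int}> */
    private array $rows = [];

    // Server side: mint a random token bound to one client site and one user.
    public function issue(string $site, string $user, int $now): string
    {
        $token = bin2hex(random_bytes(32));        // 256 bits from the CSPRNG
        $this->rows[hash('sha256', $token)] = [    // store only the token's hash
            'site' => $site, 'user' => $user, 'expires' => $now + TOKEN_TTL,
        ];
        return $token;
    }

    // Validation: returns the user name on success, null on any failure.
    public function redeem(string $token, string $site, int $now): ?string
    {
        $key = hash('sha256', $token);
        $row = $this->rows[$key] ?? null;
        unset($this->rows[$key]);                  // single use, even on failure
        if ($row === null || $now > $row['expires']) {
            return null;                           // unknown, replayed or expired
        }
        if (!hash_equals($row['site'], $site)) {
            return null;                           // minted for a different client
        }
        return $row['user'];
    }
}

// Constructed sample run: four redemption attempts against one store.
$store = new SsoTokenStore();
$t0 = 1700000000;
$a = 'https://client-a.example';
$token = $store->issue($a, 'agency-admin', $t0);
var_dump($store->redeem($token, $a, $t0 + 5));     // first use inside the lifetime
var_dump($store->redeem($token, $a, $t0 + 6));     // same token again (replay)
$late = $store->issue($a, 'agency-admin', $t0);
var_dump($store->redeem($late, $a, $t0 + 31));     // presented after expiry
$other = $store->issue($a, 'agency-admin', $t0);
var_dump($store->redeem($other, 'https://client-b.example', $t0 + 1)); // wrong site
```

Storing only the SHA-256 of each token means a leaked copy of the token table cannot be replayed against client sites.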